#set authentication #dot1x ssid SIDDNAME ** pass-through webview-default

Pass-Through should have allowed direct authentication between the Windows client and the Microsoft NAP server. I reasoned vendor-specific attributes were not necessary between a Windows server and client. Expired accounts continued to fail authentication after the change to the authentication method.

My focus changed to the Windows client wireless settings. The problem specifically stemmed from the client's wireless single sign-on (SSO) settings. I plan to implement computer + user authentication at a future date, but for the time being only user mode is enabled.

Ironically, SSO is designed to resolve problems with user-only authentication:

The user cannot log into the domain because a connection to the domain controllers is not available. Locally cached credentials are used to authenticate (sometimes incorrectly) to the RADIUS server.

I removed all SSO options from the Windows wireless client under "advanced" settings:

N.B.: Under the EAP-MSCHAP v2 configuration, I was able to check "Automatically use my Windows logon name and password (and domain if any)":

After I removed SSO, expired accounts were able to pick a new password and complete the network connection. I still believe it is possible to use SSO with only 802.1X user authentication, but my situation didn't require further research. I also suspect the SSO would have worked, had I used both computer authentication and user authentication.
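
The same check can be run across many clients by inspecting exported WLAN profiles (for example from `netsh wlan export profile`) for the combination described above: user-only 802.1X with SSO enabled. This is an added example, not part of the original post; the element names follow the Windows WLAN profile and OneX XML schemas, and the sample profile and the SSID name `ExampleSSID` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Windows WLAN profile and its embedded 802.1X (OneX) settings.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample, trimmed to the elements this check reads.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleSSID</name>
  <MSM>
    <security>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
        </singleSignOn>
      </OneX>
    </security>
  </MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Report 802.1X auth mode and SSO state for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", default="", namespaces=NS)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:  # not an 802.1X profile (e.g. PSK or open)
        return {"name": name, "dot1x": False, "auth_mode": None,
                "sso_type": None, "user_only_with_sso": False}
    # authMode may be absent; report None rather than guessing the default.
    auth_mode = onex.findtext("onex:authMode", default=None, namespaces=NS)
    sso = onex.find("onex:singleSignOn", NS)
    sso_type = None if sso is None else sso.findtext(
        "onex:type", default="unspecified", namespaces=NS)
    return {
        "name": name,
        "dot1x": True,
        "auth_mode": auth_mode,
        "sso_type": sso_type,
        # The combination described in the post: user-only mode plus SSO.
        "user_only_with_sso": auth_mode == "user" and sso is not None,
    }


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A profile with the SSO options removed no longer contains a `singleSignOn` element, so `sso_type` comes back as `None` and the flag clears.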

The Juniper WLC wireless controllers use a simple GUI that is normally sufficient for management tasks. There are occasions when using the command line is necessary. This is a short list that I'll update from time to time.

About Me

Steven Jordan is an infrastructure and process management specialist. Steven holds a Master of Science degree in ICT from the University of Wisconsin Stout.
Steven is also a Cisco Certified Network Professional (CCNP) and a University of Wisconsin Extension Master Gardener.